This Briefing note provides the LIBE Committee with background and contextual information on PRISM/FISA/NSA activities and US surveillance programmes, and their specific impact on EU citizens’ fundamental rights, including privacy and data protection.

Prior to the PRISM scandal, European media underestimated this aspect, apparently oblivious to the fact that the surveillance activity was primarily directed at the rest of the world and was not targeted at US citizens. The note argues that the scope of surveillance under the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA) has very strong implications for EU data sovereignty and the protection of its citizens’ rights.

The first section provides a historical account of US surveillance programmes, showing that the US authorities have continuously disregarded the human right to privacy of non-Americans. The analysis of various surveillance programmes (Echelon, PRISM) and US national security legislation (FISA, PATRIOT and FAA) clearly indicates that surveillance activities by the US authorities are conducted without taking into account the rights of non-US citizens and residents. In particular, the scope of FAA creates a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, including data processed by ‘Cloud computing’, which eludes EU Data Protection regulation.

The second section gives an overview of the main legal gaps, loopholes and controversies of these programmes and their differing consequences for the rights of American and EU citizens. The section unravels the legal provisions governing US surveillance programmes and further uncertainties in their application, such as:

– serious limitations to the Fourth Amendment for US citizens;
– specific powers over communications and personal data of “non-US persons”;
– absence of any cognizable privacy rights for “non-US persons” under FISA.

The section also shows that the accelerating and already widespread use of Cloud computing further undermines data protection for EU citizens, and that, on review, some of the existing and proposed mechanisms put in place to protect EU citizens’ rights after data export actually function as loopholes.

Finally, some strategic options for the European Parliament are developed, and related recommendations are suggested in order to improve future EU regulation and to provide effective safeguards for protection for EU citizens’ rights.

The companies named in the PRISM slides issued prompt denials of “direct access” to their datacentres, mentioned in the “marketing” slides that revealed PRISM’s existence. Their position was that they were simply complying with a mandatory court order, and they had never heard of the PRISM codename (which is not surprising since this was an NSA codeword for a Top Secret programme). Microsoft asserted that they only responded to requests referencing specific account identifiers, and Google and Facebook denied they had “black boxes” stationed in their networks giving “direct access”. The companies are constrained by the secrecy provisions of s.702, on pain of contempt or even espionage charges. Google and Microsoft are now suing the government for permission to publish a breakdown of the number of persons affected by FISA orders.

However there is no substantive inconsistency between the carefully wordsmithed (and apparently co-ordinated) company denials and the reports of PRISM. The phrase “direct access” was likely intended to distinguish this modality from “upstream” collection (see above), not necessarily implying a literal capability to extract data without the company’s knowledge. However, such literal “direct access” is not precluded by the 702 statute, and it may be that this has already occurred with some other companies, or may in future be permitted by the FISC.

A critical further development resulted from a keen observation by The New York Times on August 8th that in the targeting procedures published on June 20th, the “selectors” used to specify the information to be accessed under 702 could include arbitrary search terms. This ought not to be surprising from a plain reading of the statute, but it emphasized that Americans’ (and of course non-Americans’) privacy could be implicated in arbitrary trawls through a mass of data, rather than access being confined to account identifiers judged 50% likely to be non-American. A further story disclosed that at the government’s request in 2011 the FISA court reversed an earlier ruling and thenceforth permitted arbitrary search terms even if these included targeting factors characteristic of Americans.

Thus it appears that the theoretical protections, which in law existed only for Americans, have been very substantially undermined by successively expansive government requests to the court.

…

2.2.3 The Fourth Amendment does not apply to non-USPERs outside the US

The connection between the controversy over the s.215 PATRIOT Act power and the use of the FISA 702 power in the PRISM programme can now be explained. The database of five years of details of domestic and international calls was used to establish a counter-terrorist justification (according to the “three hops” principle). A second database was then checked: a directory the NSA maintains of telephone numbers believed to belong to Americans. If that check indicated the number was probably not that of an American, the contents of that telephone call could be listened to without any further authorisation, under the FISA 702 law. Otherwise, if the number seemed probably that of an American, a further particular warrant for the interception would have to be obtained (under a different section of FISA), justifying the intrusion to a much higher legal standard and with reference to the circumstances of the individual case.
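The chaining-then-directory-check workflow described above, as an added illustration that is not part of the briefing note and is not the NSA’s own tooling: the call records, the telephone identifiers and the directory of presumed-US numbers are constructed, and the three-hop breadth-first search and the s.702-versus-warrant routing are a simplified model of the procedure the note describes (the hop limit and the presumption that a number absent from the directory is non-US are assumptions of the model).

```python
"""Three-hop contact chaining over call-detail records, followed by the
"is this number believed to be American?" directory check.

Added illustration, not from the briefing note and not NSA code. Every
record, identifier and directory entry below is constructed."""
from collections import defaultdict, deque

# Constructed call-detail records (caller, callee): metadata only, no content.
CALL_RECORDS = [
    ("S", "A"), ("S", "B"),              # hop 1 from the seed number S
    ("A", "C"), ("B", "D"), ("D", "A"),  # hop 2 (D-A is a cross link)
    ("C", "E"), ("D", "F"),              # hop 3
    ("E", "G"),                          # hop 4: beyond the three-hop limit
    ("X", "Y"),                          # unconnected pair: never reached
]

# Constructed directory of numbers believed to belong to US persons.
# Anything NOT listed here is presumed non-US (assumption of the model).
US_PERSON_DIRECTORY = {"D", "G"}

WARRANT = "particular FISA warrant (probable cause, individual case)"
SECTION_702 = "s.702 (no further authorisation)"


def build_graph(records):
    """Undirected contact graph: a call links both parties."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seed, max_hops=3):
    """Breadth-first search; returns {number: hop distance} for every
    number within max_hops of the seed (the seed itself at distance 0)."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        number = queue.popleft()
        if distance[number] == max_hops:
            continue  # do not expand beyond the hop limit
        for contact in graph[number]:
            if contact not in distance:
                distance[contact] = distance[number] + 1
                queue.append(contact)
    return distance


def access_route(number, directory):
    """Directory check: listed => warrant route, unlisted => s.702 route."""
    return WARRANT if number in directory else SECTION_702


def chain_and_route(records, seed, directory, max_hops=3):
    """For each number reached from the seed (seed excluded), give its hop
    distance and the legal route the model assigns to its call content."""
    reach = contact_chain(build_graph(records), seed, max_hops)
    return {n: (hops, access_route(n, directory))
            for n, hops in reach.items() if n != seed}


def hop_counts(routed):
    """How many numbers are swept in at each hop distance."""
    counts = defaultdict(int)
    for hops, _route in routed.values():
        counts[hops] += 1
    return dict(counts)


if __name__ == "__main__":
    routed = chain_and_route(CALL_RECORDS, "S", US_PERSON_DIRECTORY)
    for number, (hops, route) in sorted(routed.items()):
        print(f"{number}: hop {hops}: {route}")
    print("per-hop reach:", hop_counts(routed))
```

The point the model makes visible is the asymmetry in the final step: the only thing standing between a reached number and content access under s.702 is its absence from a directory of presumed Americans, so every non-US number inside three hops falls on the no-further-authorisation side by default. With k contacts per number the three-hop reach grows as roughly k³, which is why the seed justification sweeps in so many non-US persons.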

However a close reading of the s.215 shows that an alternative purpose (other than a connection to terrorism) is “to obtain foreign intelligence information not concerning a United States person”. From a non-US perspective this may be an important point which has not so far featured in any of the analysis made in the US, nor is it clear how this provision would interact with the already tangled skein of contested legality. However it is a further illustration of US legislation, which discriminates between the protections afforded by the Constitution to its own citizens, and everybody else.

Some remarkable interviews have been given by former NSA Director Gen. Hayden, in which he stressed that “the Fourth Amendment – that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause – is not an international treaty”, and that the US enjoys a “home field advantage” of untrammelled access to foreign communications routed via US territory, or foreign data stored there.

These statements sit uncomfortably with speeches and statements made by US State Department officials prior to 2012 at fora including the Council of Europe’s “Octopus” conference on Cybercrime, and the annual International Conference of Privacy and Data Protection Commissioners. These statements lauded the protections afforded by the Fourth Amendment, and since they were directed at an international audience to provide re-assurance about America’s respect for privacy, in retrospect they can only be construed as deceptive. The author publicly challenged one representative in 2012 to state categorically that the Fourth Amendment applied to non-US persons (located outside the US), and they fell silent.

…

2.2.4 Cloud computing risks for non-US persons

The interim Protect America Act of 2007 law mentioned above was set to expire shortly before the Presidential election of 2008, and its scope was limited to interception by telephony and Internet access providers. Candidate-in-waiting Obama gave his approval to a bipartisan agreement to put PAA and its immunities for telecommunications companies on a permanent basis with the FISA Amendments Act 2008, which was enacted in July 2008.

When FAA was introduced, it contained an extra three words that apparently went unnoticed and unremarked by anyone. By introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened from Internet communications and telephony to include Cloud computing.

Cloud computing can be defined in general terms as the distributed processing of data on remotely located computers accessed through the Internet. From 2007 Internet industry marketing evangelized the benefits of Cloud computing to business, governments and policy-makers, beginning with Google and then rapidly followed by Microsoft and others, becoming a new business software sector.

In 2012 the LIBE Committee commissioned a briefing Note on “Fighting Cybercrime and Protecting Privacy in the Cloud” from the Centre for European Policy Studies (CEPS) and the Centre d’Etudes sur les Conflits, Liberté et Securité (CCLS), to which the author was invited to contribute. Sections of the Note clearly asserted that Cloud computing and related US regulations presented an unprecedented threat to EU data sovereignty.